Air-gapped deployment overview

Applies to: Air-gapped deployments

SecureAuth Identity Platform (IdP) release 24.04 with update 24.5.0 introduces air-gapped deployment, enabling organizations to run identity and access management in strict network isolation. This deployment replaces cloud-hosted FIDO and Mobile Services with on-premises versions.

Support-guided implementation

Air-gapped deployment requires coordination with SecureAuth Support for licensing, deployment planning, and installation assistance. Contact SecureAuth Support to discuss your requirements and obtain the deployment package.

Architecture

Air-gapped deployments include these components:

  • SecureAuth IdP servers – Run on Windows Server 2022 Virtual Appliances

  • FIDO Service – Deployed on-premises for FIDO2 WebAuthn authentication

  • Mobile Service – Deployed on-premises for authentication app support

  • PostgreSQL database – Stores FIDO and Mobile Service configuration

  • Load balancer – Distributes traffic across SecureAuth IdP servers

  • LDAP connection – Connects to your identity data sources

Deployment model

SecureAuth IdP supports different deployment options. Air-gapped deployment is designed for environments requiring strict network isolation:

  • Cloud – All services hosted by SecureAuth

  • Hybrid – SecureAuth IdP on-premises, services in cloud

  • Air-gapped – All components on-premises without cloud connectivity

Database considerations

Air-gapped deployments require PostgreSQL to support on-premises FIDO and Mobile Services:

  • Database options – Use an existing PostgreSQL instance or have SecureAuth install PostgreSQL during deployment.

  • Connection information – Prepare connection strings for PostgreSQL and existing identity data sources.

  • Database setup – SecureAuth provides scripts to configure the database structure.

Installation approach

The installation approach varies based on your current SecureAuth IdP environment. SecureAuth Support will guide you through the appropriate process.

If you're not currently on Windows Server 2022

Most customers upgrading from SecureAuth IdP releases 9.2 through 20.06 will follow this process:

  1. Obtain Windows Server 2022 OVA – SecureAuth creates and provides a Windows Server 2022 Virtual Appliance packaged as an OVA file.

  2. Deploy Windows Server 2022 – Import the SecureAuth-provided OVA file into your hypervisor (such as VMware vSphere, Hyper-V, or AWS AMI).

  3. Install SecureAuth IdP 24.5.0 – Run the SecureAuth IdP Setup and Utility (SISU) installer to deploy SecureAuth IdP version 24.5.0 on the Virtual Appliance.

  4. Migrate existing data – Run the SecureAuth Migrator tool to move your existing SecureAuth IdP configuration from the old IdP server to the new IdP server.

  5. Install PostgreSQL – Set up PostgreSQL on a separate server within the same network as the SecureAuth IdP server. Skip this step if PostgreSQL is already installed.

    Note: You'll need the PostgreSQL connection string for the next step.

  6. Deploy air-gapped services – Run the standalone air-gapped installer to deploy on-premises FIDO and Mobile Services in your environment.

  7. Install FileSync tool – If you have multiple SecureAuth IdP servers, install and configure the SecureAuth FileSync tool to synchronize files and settings across all servers.

If you're already on Windows Server 2022

If your current SecureAuth IdP deployment already runs on Windows Server 2022:

  1. Upgrade to SecureAuth IdP 24.5.0 – Run the SecureAuth Updater (SAU) tool to upgrade your existing installation to SecureAuth IdP release 24.5.0.

  2. Install PostgreSQL – Set up PostgreSQL on a separate server within the same network as the SecureAuth IdP server. Skip this step if PostgreSQL is already installed.

    Note: You'll need the PostgreSQL connection string for the next step.

  3. Deploy air-gapped services – Run the standalone air-gapped installer to deploy on-premises FIDO and Mobile Services in your environment.

Planning requirements

Before contacting Support, consider these components:

  • Hypervisor platform – VMware vSphere, Hyper-V, or AWS environment

  • Network isolation – Confirm your environment operates without internet connectivity

  • Database strategy – Existing PostgreSQL instance or need for new installation

  • Identity data sources – Connection details for LDAP or other identity stores

  • Administrative access – Permissions to deploy and configure SecureAuth IdP

  • Migration planning – If upgrading from releases 9.2 through 20.06, plan for data migration

Getting started

Air-gapped deployment requires coordination with SecureAuth Support for licensing and implementation planning. Review the architecture and planning requirements above, then contact Support to discuss your specific environment and deployment timeline.

Next steps: Contact SecureAuth Support to discuss air-gapped deployment options and requirements.